DNSSEC on pfSense

danswartz · Dec 17, 2010, 7:21 PM

What I am doing for now: adding 2-3 entries in /etc/hosts on a couple of the servers that need to be able to talk to other servers, even if pfsense is offline. I do want to try replacing dnsmasq with unbound and see how it works…

wagonza · Dec 17, 2010, 8:50 PM

@danswartz:

EDIT: I think I'm just out of luck. Found a thread from last year where some other soul was trying to get zone transfers to work with tinydns and the last post indicated failure. Sigh…

Give me a few weeks, I have a need to implement NSD(http://www.nlnetlabs.nl/projects/nsd/) instead of using TinyDNS. This should hopefully help you.

wagonza · Dec 17, 2010, 8:53 PM

@jlepthien:

Hey m8. That works! So is it just the GUI that has got problems? Will this stay after a reboot? Or do I need to edit the unbound.conf by hand? But now I DNSSEC does not seem to be working. The http://test.dnssec-or-not.org/ url does not even open…

Also http://www.dnssec-tools.org/testzone/ does not open? Does it open for you?

Yeah I believe Unbound can't validate the answers from OpenDNS because they don't support DNSSec, hence why you get an invalid reply.

danswartz · Dec 17, 2010, 9:14 PM

Thanks for the hard work. I will stay tuned :)

jlepthien · Dec 17, 2010, 9:30 PM

@wagonza:

I upped the version number and hopefully also fixed the file system errors.

Does not work here. When enabling the forward mode the servers do not get written and unbound-config forward still says 'off'. Since OpenDNS is not supporting DNSSEC anyway I might as well stick to dnsmasq or disable DNSSEC…

_igor_ · Dec 18, 2010, 2:03 AM

I think you know it, but here for future? reference…

http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
Sounds interesting...

wagonza · Dec 18, 2010, 7:23 AM

@jlepthien:

Does not work here. When enabling the forward mode the servers do not get written and unbound-config forward still says 'off'. Since OpenDNS is not supporting DNSSEC anyway I might as well stick to dnsmasq or disable DNSSEC…

Just do a grep reload /usr/local/pkg/unbound.inc - that should return zero results. If it does then you will need to uninstall the package and then re-install.

Otherwise yeah disable DNSSec or stick to DNSMasq for now :$ OpenDNS do say they will eventually support DNSSec if gains more traction…

wagonza · Dec 18, 2010, 7:24 AM

@_igor_:

I think you know it, but here for future? reference…

http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-dn-dnssec-nsd.pdf
Sounds interesting...

thanks - will check this out.

mromero · Dec 31, 2010, 4:04 AM

On the latest snapshot of today i386 still getting:

Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???

wagonza · Jan 3, 2011, 5:41 PM

@mromero:

On the latest snapshot of today i386 still getting:

Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???

Is this still a problem? I can only assume DNSMasq was re-enabled.

I have been away for the last week - hence the late reply.

mromero · Jan 4, 2011, 9:09 PM

On latest snapshot of today 4 January same old:

Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'

@wagonza:

@mromero:

On the latest snapshot of today i386 still getting:

Dec 30 23:36:31 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1293752191] unbound[53513:0] error: bind: address already in use [1293752191] unbound[53513:0] fatal error: could not open ports'
???

Is this still a problem? I can only assume DNSMasq was re-enabled.

I have been away for the last week - hence the late reply.

mromero · Jan 6, 2011, 4:29 AM

It appears we are close to a RC1 candidate with so many things broken?

One of the developers tweeted:

"DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet"

Could this be why no one seems to care about the Unbound package?

_igor_ · Jan 6, 2011, 2:17 PM

I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".

mromero · Jan 6, 2011, 4:13 PM

Here is the original Tweet, but I notice the URL goes to a 404 - do not known what to make of it:

sullrich Scott Ullrich
DNSSEC is right now the top, by far the top distributed denial of service amplifier on the internet. -DJB http://ha.cx/DJB.mp4

29 Dec

@_igor_:

I would be interested in infos about it. Searching the net i only get - nothing! So no explanation nor other info. Sounds a bit like "Windows is the most secure software known".

wagonza · Jan 6, 2011, 7:15 PM

@mromero:

On latest snapshot of today 4 January same old:

Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'

Can you check if this happens next time and if so issue the following command when you see this error:

sockstat -4 -p 53

_igor_ · Jan 6, 2011, 11:38 PM

Found something about the "denial of service amplifier" of DNSSEC: There was a discussion at the 27c3 in Berlin at the end of 2010… Was about the weakness of DNSSEC and the glory of dnscurve...

It can be found here: http://events.ccc.de/congress/2010/wiki/Conference_Recordings (Its Number 4295)
http://events.ccc.de/congress/2010/Fahrplan/attachments/1773_slides.pdf

And here an interesting opinion from Dan Kaminsky: http://dankaminsky.com/2011/01/05/djb-ccc/

Maybe all this clears some things up (or not ;-)

mromero · Jan 7, 2011, 12:12 AM

Hi Wagonza. I ran the command from Shell and copied this result in longhand from the console:

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS

unbound unbound 22871 12 udp4 192.168.1.1:53 :
unbound unbound 22871 13 tcp4 192.168.1.1:53 :

@wagonza:

@mromero:

On latest snapshot of today 4 January same old:

Jan 4 21:06:41 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294175201] unbound[48254:0] error: bind: address already in use [1294175201] unbound[48254:0] fatal error: could not open ports'

Can you check if this happens next time and if so issue the following command when you see this error:

sockstat -4 -p 53

gnhb · Jan 8, 2011, 12:21 AM

@_igor_:

And here an interesting opinion from Dan Kaminsky: http://dankaminsky.com/2011/01/05/djb-ccc/

Maybe all this clears some things up (or not ;-)

This was a great read from Dan Kaminsky. I'm a DNSSEC convert! :)

Check out his slides from his BlackHat talk too. http://dankaminsky.com/phreebird/

Time to check out Unbound . . .

GB

ToxIcon · Jan 8, 2011, 5:35 AM

just install Unbound on 2.0beta5 full install, install went good with no errors Its up and running but when i go to test.dnssec-or-not.org I get No, you are not using DNSSEC,
If you guys dont mind Can someone with Unbound working up and running post pics of their Unbound DNS Settings thanks.

wagonza · Jan 8, 2011, 8:13 AM

@mromero:

Hi Wagonza. I ran the command from Shell and copied this result in longhand from the console:

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS

unbound unbound 22871 12 udp4 192.168.1.1:53 :
unbound unbound 22871 13 tcp4 192.168.1.1:53 :

hmm … this shows that Unbound is listening - in this instance did you get a log entry with the failure to start for Unbound?
If so then it appears that for some reason Unbound is trying to be started twice on your system.